April 30, 2014

In the truly grand scheme of things, the Heartbleed security flaw currently only affects a very small portion of the Internet. According to researchers, the flaw affects roughly 500,000 websites, and many have already been patched.

However, it has also come to light that the patch to the “secure socket” program, which encrypts data online and thus protects user information on secure sites, was only made after two years of vulnerability on some of the most heavily trafficked sites online.

These include Facebook, Google, YouTube, Yahoo and Wikipedia. As a result, an untold number of regular Internet users might have had at least some of their key personal information compromised when using those websites.

Some Internet users are already taking action, but it might not be enough, say security experts. One in five IT security professionals have said that their enterprises have been the target of an advanced persistent threat (APT), and 62 percent of organizations have not increased security training in 2014 to combat this threat, according to the ISACA 2014 APT Survey.

In addition, a new study conducted by the Pew Research Center’s Internet & American Life Project revealed this month that only 39 percent of Internet users, after hearing of the online security problem, took steps to protect their online accounts, either by changing their passwords or even canceling their accounts entirely. Only six percent think that their personal information was swiped, yet 29 percent of Internet users believe their personal information was put at risk because of the Heartbleed bug.

It is also possible that the message about the dangers of the Heartbleed bug isn’t getting through to many users. While some 60 percent of adult respondents – and 64 percent of Internet users – in the survey conducted by Pew had said they heard about the bug, only 19 percent admitted to hearing “a lot” about it, while 41 percent said they heard “a little” about it.

By comparison, 46 percent of respondents said they heard “a lot” about the tensions in the Ukraine and 51 percent of adults said they heard “a lot” about Edward Snowden’s leaking of data from the National Security Agency programs.

“There are some people who are pretty tuned in and are in an action frame of mind and then there are others that don’t know about the news that is breaking,” Lee Rainie, director of Pew Research’s Internet Project, told the Associated Press as reported by the Daily Breeze.

Pew’s telephone survey of 1,501 adults was taken in the US from April 23-27.

At the corporate level, threats such as Heartbleed remain an issue not just because of a lack of information about this particular threat, but also because there aren’t enough IT security professionals in place to combat it. The ISACA also noted that Cisco conducted another study estimating that close to 1,000,000 positions for security professionals remain unfilled.

To ensure that these threats are addressed properly, the ISACA launched its Cybersecurity Nexus (CSX) program at last week’s North American CACS conference. The CSX was developed in collaboration with security officers and cybersecurity experts from leading companies around the world.

“Unless the industry moves now to address the cybersecurity skills crisis, threats like major retail data breaches and the Heartbleed bug will continue to outpace the ability of organizations to defend against them,” said Robert Stroud, ISACA international president-elect and vice president of strategy and innovation for IT Business Management at CA Technologies, in a statement. “ISACA is proud to help close this gap with a comprehensive program that provides expert-level cybersecurity resources tailored to each stage in a cybersecurity professional’s career.”